1
00:00:00,120 --> 00:00:02,009
Instructor: When it comes to penetration testing,
2
00:00:02,009 --> 00:00:04,170
planning is incredibly important.
3
00:00:04,170 --> 00:00:06,990
There are three major factors for any assessment.
4
00:00:06,990 --> 00:00:09,750
Time, cost, and quality.
5
00:00:09,750 --> 00:00:11,850
These three factors are always in competition
6
00:00:11,850 --> 00:00:14,250
with each other and decisions on their priority
7
00:00:14,250 --> 00:00:17,190
have to be agreed upon between the penetration tester
8
00:00:17,190 --> 00:00:20,490
and the organization that's contracting that engagement.
9
00:00:20,490 --> 00:00:23,580
For example, if you want the assessment to be faster,
10
00:00:23,580 --> 00:00:25,050
it's gonna cost you more money
11
00:00:25,050 --> 00:00:28,080
or it's gonna require a lower quality threshold.
12
00:00:28,080 --> 00:00:30,960
If you want a really in-depth and high-quality engagement,
13
00:00:30,960 --> 00:00:32,910
then it might cost additional resources
14
00:00:32,910 --> 00:00:34,680
in terms of people and money,
15
00:00:34,680 --> 00:00:37,080
or it might take you more time.
16
00:00:37,080 --> 00:00:40,140
If you want an inexpensive penetration test to be conducted
17
00:00:40,140 --> 00:00:42,420
then you really shouldn't expect it to be high quality
18
00:00:42,420 --> 00:00:44,220
or really quick.
19
00:00:44,220 --> 00:00:47,250
Again, these are competing factors that you must consider
20
00:00:47,250 --> 00:00:48,420
during your planning,
21
00:00:48,420 --> 00:00:49,980
and it's also important to understand
22
00:00:49,980 --> 00:00:51,660
what the company is expecting
23
00:00:51,660 --> 00:00:54,960
and what you can provide during the proposed timeframe.
24
00:00:54,960 --> 00:00:56,730
There are various areas of consideration
25
00:00:56,730 --> 00:00:58,470
when you're planning an assessment.
26
00:00:58,470 --> 00:00:59,820
This includes things like,
27
00:00:59,820 --> 00:01:00,746
who is the target audience?
28
00:01:00,746 --> 00:01:03,240
What is the objective?
29
00:01:03,240 --> 00:01:05,550
Is this a compliance-based assessment?
30
00:01:05,550 --> 00:01:07,590
What resources are required?
31
00:01:07,590 --> 00:01:10,320
Who will we communicate with and how often?
32
00:01:10,320 --> 00:01:12,180
What product will be required to be presented
33
00:01:12,180 --> 00:01:13,950
at the end of the assessment?
34
00:01:13,950 --> 00:01:16,830
Are there technical constraints placed upon the engagement?
35
00:01:16,830 --> 00:01:20,640
And how comprehensive will the penetration test need to be?
36
00:01:20,640 --> 00:01:23,610
First, we have to ask who is the target audience
37
00:01:23,610 --> 00:01:25,020
for the penetration test
38
00:01:25,020 --> 00:01:27,480
and what kind of business do they perform?
39
00:01:27,480 --> 00:01:29,305
Are they a small local retail store
40
00:01:29,305 --> 00:01:31,080
that needs a simple Payment Card
41
00:01:31,080 --> 00:01:32,850
Industry Data Security Standard,
42
00:01:32,850 --> 00:01:36,120
or PCI DSS compliance penetration test,
43
00:01:36,120 --> 00:01:38,580
or are they a large multinational bank
44
00:01:38,580 --> 00:01:40,380
with offices all over the world
45
00:01:40,380 --> 00:01:43,590
who want you to test all 100,000 branches?
46
00:01:43,590 --> 00:01:45,540
Depending on the answer to these questions,
47
00:01:45,540 --> 00:01:48,150
the scope of your assessment is gonna be vastly different
48
00:01:48,150 --> 00:01:52,200
because of their different sizes, missions, and operations.
49
00:01:52,200 --> 00:01:55,770
Second, what is the objective of the penetration test?
50
00:01:55,770 --> 00:01:57,990
Is the organization contracting the engagement
51
00:01:57,990 --> 00:02:01,230
in order to meet a compliance requirement or regulation?
52
00:02:01,230 --> 00:02:02,760
Are they conducting due diligence
53
00:02:02,760 --> 00:02:04,650
in their testing and software assurance
54
00:02:04,650 --> 00:02:06,990
before a product is gonna be released?
55
00:02:06,990 --> 00:02:10,020
Both of these are valid objectives for a penetration test
56
00:02:10,020 --> 00:02:12,690
but each of them requires a different approach.
57
00:02:12,690 --> 00:02:15,510
By understanding your target audience and their budget,
58
00:02:15,510 --> 00:02:17,160
you can design a better engagement,
59
00:02:17,160 --> 00:02:19,290
that'll more efficiently and effectively
60
00:02:19,290 --> 00:02:21,210
meet their objectives.
61
00:02:21,210 --> 00:02:23,670
Third, what resources will be required
62
00:02:23,670 --> 00:02:25,920
to carry out the penetration test?
63
00:02:25,920 --> 00:02:28,110
For example, if my company was hired
64
00:02:28,110 --> 00:02:31,080
to do a penetration test on a large chain of retail stores
65
00:02:31,080 --> 00:02:32,850
that's located out in Hawaii,
66
00:02:32,850 --> 00:02:36,600
but that company has not allocated any funding for travel,
67
00:02:36,600 --> 00:02:38,370
then my team won't be able to conduct
68
00:02:38,370 --> 00:02:40,110
a physical penetration test
69
00:02:40,110 --> 00:02:42,990
because our offices are not located in Hawaii
70
00:02:42,990 --> 00:02:45,300
and we're gonna have to fly out there to do it.
71
00:02:45,300 --> 00:02:48,000
On the other hand, if they have a really large budget,
72
00:02:48,000 --> 00:02:51,150
then we can support a very large or in-depth assessment
73
00:02:51,150 --> 00:02:54,060
including onsite testing of their physical security
74
00:02:54,060 --> 00:02:57,390
as well as resiliency to social engineering attacks.
75
00:02:57,390 --> 00:02:59,760
Now, we might also be able to fly people on site,
76
00:02:59,760 --> 00:03:02,490
hire contractors, have a longer timeline,
77
00:03:02,490 --> 00:03:03,540
increase the scope
78
00:03:03,540 --> 00:03:06,330
and have greater access to people and technology.
79
00:03:06,330 --> 00:03:08,376
However, if we're given a smaller budget,
80
00:03:08,376 --> 00:03:10,860
then we're gonna have to adjust the scope downward
81
00:03:10,860 --> 00:03:13,680
appropriately to meet those restrictions.
82
00:03:13,680 --> 00:03:16,350
Now, let's go back to the Hawaii example for a minute.
83
00:03:16,350 --> 00:03:18,720
Assuming that we have a smaller budget assigned
84
00:03:18,720 --> 00:03:20,460
we're then gonna have to minimize the scope
85
00:03:20,460 --> 00:03:22,380
to only provide an external assessment
86
00:03:22,380 --> 00:03:24,660
of those networks over the internet.
87
00:03:24,660 --> 00:03:26,790
Now, if that meets the company's objectives,
88
00:03:26,790 --> 00:03:29,040
then we can move into contract negotiation
89
00:03:29,040 --> 00:03:30,900
and start agreeing to a price.
90
00:03:30,900 --> 00:03:32,670
However, if it doesn't,
91
00:03:32,670 --> 00:03:35,460
then it's gonna be important to negotiate a larger budget
92
00:03:35,460 --> 00:03:37,680
in order to support an onsite assessment
93
00:03:37,680 --> 00:03:39,930
or we're gonna have to turn down the assignment
94
00:03:39,930 --> 00:03:41,970
and recommend they hire a penetration tester
95
00:03:41,970 --> 00:03:43,920
who is local to their company.
96
00:03:43,920 --> 00:03:45,540
Now, when we're looking at resources
97
00:03:45,540 --> 00:03:47,130
and requirements for this test,
98
00:03:47,130 --> 00:03:48,510
it's also important to consider
99
00:03:48,510 --> 00:03:50,550
what resources are gonna be needed
100
00:03:50,550 --> 00:03:53,850
and the costs associated with having those resources.
101
00:03:53,850 --> 00:03:55,230
Do we need to be onsite
102
00:03:55,230 --> 00:03:57,960
or can we achieve the same objectives remotely?
103
00:03:57,960 --> 00:04:00,420
Do we need the test done from inside the company network
104
00:04:00,420 --> 00:04:02,880
or from an outside perspective?
105
00:04:02,880 --> 00:04:05,940
What requirements must be met during the test?
106
00:04:05,940 --> 00:04:08,400
Do we need to use end-to-end encryption?
107
00:04:08,400 --> 00:04:10,890
All of these requirements will take up additional resources
108
00:04:10,890 --> 00:04:12,240
from the project.
109
00:04:12,240 --> 00:04:14,490
For example, if we're gonna be required to test
110
00:04:14,490 --> 00:04:17,040
for both known and unknown vulnerabilities,
111
00:04:17,040 --> 00:04:19,140
we're gonna have to come up with our own exploits
112
00:04:19,140 --> 00:04:22,470
which cost us more time, more money, and more resources,
113
00:04:22,470 --> 00:04:25,410
than using existing toolkits like the Metasploit Framework
114
00:04:25,410 --> 00:04:28,710
with its open source and well-documented exploits.
115
00:04:28,710 --> 00:04:30,930
Next, we need to ask if this test
116
00:04:30,930 --> 00:04:33,270
is part of a compliance-based assessment.
117
00:04:33,270 --> 00:04:35,850
If so, the engagement becomes a little easier
118
00:04:35,850 --> 00:04:38,670
because there are checklists provided by most organizations
119
00:04:38,670 --> 00:04:41,760
or legislative bodies, for your testers to utilize
120
00:04:41,760 --> 00:04:44,040
and this will ensure that all of the appropriate devices
121
00:04:44,040 --> 00:04:46,350
have been scanned to the appropriate level.
122
00:04:46,350 --> 00:04:50,490
For example, a PCI DSS scan has a specific checklist
123
00:04:50,490 --> 00:04:52,500
that an assessor or penetration tester
124
00:04:52,500 --> 00:04:54,660
has to utilize to verify compliance
125
00:04:54,660 --> 00:04:57,210
with the PCI DSS standards that are used
126
00:04:57,210 --> 00:04:59,040
for credit card processing.
127
00:04:59,040 --> 00:05:00,660
Even though we're gonna cover the details
128
00:05:00,660 --> 00:05:02,850
of those during the scoping of our assessments,
129
00:05:02,850 --> 00:05:05,730
it's also important early on to be able to outline them
130
00:05:05,730 --> 00:05:07,290
in the planning phase to ensure
131
00:05:07,290 --> 00:05:09,330
that the organization understands the level
132
00:05:09,330 --> 00:05:11,160
of resourcing that's going to be needed
133
00:05:11,160 --> 00:05:13,380
to meet the proposed requirements.
134
00:05:13,380 --> 00:05:14,700
Now, during our planning,
135
00:05:14,700 --> 00:05:17,610
we're also gonna outline our communication plan.
136
00:05:17,610 --> 00:05:19,920
Who can the penetration tester communicate with
137
00:05:19,920 --> 00:05:21,180
during this assessment
138
00:05:21,180 --> 00:05:23,910
and how often will that communication occur?
139
00:05:23,910 --> 00:05:26,370
For example, if the chief technology officer
140
00:05:26,370 --> 00:05:27,600
hired your company,
141
00:05:27,600 --> 00:05:29,670
are you only allowed to speak with them
142
00:05:29,670 --> 00:05:30,930
or can you also speak with
143
00:05:30,930 --> 00:05:32,760
the information technology department
144
00:05:32,760 --> 00:05:34,410
about the fact that you're planning to conduct
145
00:05:34,410 --> 00:05:36,030
a penetration test?
146
00:05:36,030 --> 00:05:37,260
The answer is gonna be dependent
147
00:05:37,260 --> 00:05:39,090
on your contract with the organization
148
00:05:39,090 --> 00:05:41,040
and whether they're trying to test their systems,
149
00:05:41,040 --> 00:05:43,680
their personnel, or both of these.
150
00:05:43,680 --> 00:05:45,390
Even if you're conducting a blind test
151
00:05:45,390 --> 00:05:48,270
to see if people fall for your tricks in social engineering,
152
00:05:48,270 --> 00:05:50,250
you still are gonna need a trusted agent
153
00:05:50,250 --> 00:05:51,810
inside that organization
154
00:05:51,810 --> 00:05:53,490
who you're gonna be able to communicate with
155
00:05:53,490 --> 00:05:55,320
if something is going wrong.
156
00:05:55,320 --> 00:05:56,910
This person will also contact you
157
00:05:56,910 --> 00:05:59,130
during the deconfliction process to determine
158
00:05:59,130 --> 00:06:00,390
if a detected attack
159
00:06:00,390 --> 00:06:02,550
is actually your penetration testing team
160
00:06:02,550 --> 00:06:04,470
or whether some real threat actor
161
00:06:04,470 --> 00:06:06,630
has actually hacked the organization.
162
00:06:06,630 --> 00:06:08,490
You need to have these lifelines established
163
00:06:08,490 --> 00:06:10,350
well before the testing begins
164
00:06:10,350 --> 00:06:13,350
so set this up while you're planning your engagement.
165
00:06:13,350 --> 00:06:15,900
Next, we should ask, what product or report
166
00:06:15,900 --> 00:06:18,145
will the penetration tester provide the organization
167
00:06:18,145 --> 00:06:20,850
at the conclusion of this engagement?
168
00:06:20,850 --> 00:06:22,590
Now, when we get to domain four,
169
00:06:22,590 --> 00:06:25,080
we're gonna talk all about reporting and communication
170
00:06:25,080 --> 00:06:27,390
in depth and I'm gonna provide you with the details
171
00:06:27,390 --> 00:06:29,730
of a standard penetration testing report.
172
00:06:29,730 --> 00:06:31,170
But keep in mind,
173
00:06:31,170 --> 00:06:33,480
these can be modified by the organization
174
00:06:33,480 --> 00:06:35,490
to whom you're providing the service.
175
00:06:35,490 --> 00:06:37,740
Some organizations I've worked with previously
176
00:06:37,740 --> 00:06:39,870
have requested the executive summary be provided
177
00:06:39,870 --> 00:06:42,330
as a brief using a PowerPoint format
178
00:06:42,330 --> 00:06:44,250
and others want to have something written
179
00:06:44,250 --> 00:06:46,140
in long form prose.
180
00:06:46,140 --> 00:06:48,030
We also need to find out how detailed
181
00:06:48,030 --> 00:06:49,500
the report needs to be.
182
00:06:49,500 --> 00:06:52,200
For example, if I've run a vulnerability scan
183
00:06:52,200 --> 00:06:54,300
I might have a 300 page document
184
00:06:54,300 --> 00:06:55,980
that I can provide to the organization
185
00:06:55,980 --> 00:06:58,170
with every single vulnerability that was discovered
186
00:06:58,170 --> 00:06:59,310
in their network,
187
00:06:59,310 --> 00:07:01,590
but most companies would rather we prioritize
188
00:07:01,590 --> 00:07:04,080
which vulnerabilities they need to address first
189
00:07:04,080 --> 00:07:05,490
as well as how much time and money
190
00:07:05,490 --> 00:07:07,290
it's gonna cost to fix them.
191
00:07:07,290 --> 00:07:09,330
Again, this is all negotiable
192
00:07:09,330 --> 00:07:12,120
and should be discussed during the planning phase.
193
00:07:12,120 --> 00:07:15,150
Next, is the customer gonna place any technical constraints
194
00:07:15,150 --> 00:07:16,920
on the penetration test?
195
00:07:16,920 --> 00:07:19,980
For example, are you allowed to test their database servers,
196
00:07:19,980 --> 00:07:22,230
their web servers, or their printers?
197
00:07:22,230 --> 00:07:24,780
Any limitations or constraints have to be understood
198
00:07:24,780 --> 00:07:26,070
during the planning phase
199
00:07:26,070 --> 00:07:28,320
so the assessment can be properly scoped.
200
00:07:28,320 --> 00:07:29,910
If I was testing an organization
201
00:07:29,910 --> 00:07:32,220
that focuses on manufacturing, for example,
202
00:07:32,220 --> 00:07:33,990
one of the big concerns I have
203
00:07:33,990 --> 00:07:36,570
is whether or not my team and I can conduct exploits
204
00:07:36,570 --> 00:07:38,910
against their ICS and SCADA systems
205
00:07:38,910 --> 00:07:41,430
because these systems are very likely to break
206
00:07:41,430 --> 00:07:43,800
if you're using standard penetration testing tools,
207
00:07:43,800 --> 00:07:45,690
if you don't know what you're doing.
208
00:07:45,690 --> 00:07:47,910
Often those systems are removed from the scope
209
00:07:47,910 --> 00:07:51,210
of our assessment or maybe we're required to test them
210
00:07:51,210 --> 00:07:53,640
and we're gonna bring in some specialists to assist us
211
00:07:53,640 --> 00:07:55,530
to make sure we don't break anything.
212
00:07:55,530 --> 00:07:58,590
Now, either of those two options is perfectly acceptable.
213
00:07:58,590 --> 00:08:01,020
It's just important to agree to it upfront
214
00:08:01,020 --> 00:08:03,600
and detail that decision inside of the contract
215
00:08:03,600 --> 00:08:05,640
and your scope of the engagement.
216
00:08:05,640 --> 00:08:07,260
Now, when planning an assessment,
217
00:08:07,260 --> 00:08:09,570
it's also important to ensure that the organization
218
00:08:09,570 --> 00:08:12,330
understands that the assessment is just a snapshot
219
00:08:12,330 --> 00:08:14,460
of their current security posture.
220
00:08:14,460 --> 00:08:16,530
If we completed an assessment today,
221
00:08:16,530 --> 00:08:18,240
it can only tell the organization
222
00:08:18,240 --> 00:08:21,270
what vulnerabilities existed as of today.
223
00:08:21,270 --> 00:08:23,610
A new vulnerability may be discovered in a week
224
00:08:23,610 --> 00:08:26,550
and it may have taken us three weeks to finalize a report.
225
00:08:26,550 --> 00:08:29,820
Obviously, our assessment, and in turn our report,
226
00:08:29,820 --> 00:08:32,429
are not gonna cover that new vulnerability.
227
00:08:32,429 --> 00:08:34,409
When you're negotiating an assessment,
228
00:08:34,409 --> 00:08:36,840
be clear that this is a point-in-time assessment
229
00:08:36,840 --> 00:08:39,000
and this means that you're only gonna be held liable
230
00:08:39,000 --> 00:08:41,039
for disclosing the vulnerabilities that were discovered
231
00:08:41,039 --> 00:08:42,900
at the time of the assessment.
232
00:08:42,900 --> 00:08:45,300
After all, new vulnerabilities are discovered
233
00:08:45,300 --> 00:08:46,560
every single day
234
00:08:46,560 --> 00:08:47,850
and you can't be expected to know
235
00:08:47,850 --> 00:08:51,000
about a vulnerability that hasn't been discovered yet.
236
00:08:51,000 --> 00:08:53,340
Finally, your client also needs to determine
237
00:08:53,340 --> 00:08:56,100
how comprehensive the engagement needs to be.
238
00:08:56,100 --> 00:08:59,100
Are you gonna go out and look for every single vulnerability
239
00:08:59,100 --> 00:09:01,350
or are we just trying to find at least one way
240
00:09:01,350 --> 00:09:03,180
to break into the network?
241
00:09:03,180 --> 00:09:06,450
While some clients want the former, others want the latter.
242
00:09:06,450 --> 00:09:08,460
This is another key consideration
243
00:09:08,460 --> 00:09:11,520
as it will greatly affect the size, scope, and duration
244
00:09:11,520 --> 00:09:14,730
of the assessment and the resources that it requires.
245
00:09:14,730 --> 00:09:17,430
Remember, the more comprehensive the engagement,
246
00:09:17,430 --> 00:09:20,340
the longer the duration and the larger the scope.
247
00:09:20,340 --> 00:09:21,540
Another thing to determine
248
00:09:21,540 --> 00:09:23,370
is which parts of the organization
249
00:09:23,370 --> 00:09:25,980
are going to be included in this assessment.
250
00:09:25,980 --> 00:09:28,110
Are we testing the entire organization
251
00:09:28,110 --> 00:09:30,390
or just the information technology department?
252
00:09:30,390 --> 00:09:31,440
Whichever it is,
253
00:09:31,440 --> 00:09:33,420
it needs to be agreed upon upfront
254
00:09:33,420 --> 00:09:35,220
during the planning and scoping phase
255
00:09:35,220 --> 00:09:37,080
and then detailed in your final report
256
00:09:37,080 --> 00:09:39,330
during the reporting and communication phase.
257
00:09:40,466 --> 00:09:42,553
(soft tones)